User authentication not working even after TR established successfully.

By: Jay Kumar
user, 12 Feb 2018 at 6:58 a.m. CST

14 Responses

Hi Gluu team,
The user authentication on our Gluu setup is not working even after the TR was established successfully, and it redirects to the oxAuth error page. We deleted the current TR, which was working perfectly, and so was the user authentication, but after enabling inbound SAML using Passport and adding an on-boarding external IdP, the TR suddenly stopped working. As per Mohib's suggestion in ticket #5050, I am sharing the latest Passport log (generated on Feb 12).
Please find below the pastebin URL for passport log and suggest a solution to resolve this issue.
[passport.log.2018-02-12](https://pastebin.com/7iXNXkmy)
Thank you.

Gluu 3.1.2
Ubuntu 16.04

closed

Answers

By Aliaksandr Samuseu
staff, 12 Feb 2018 at 1:44 p.m. CST

Hi, Jay.
Please also create and share a HAR file with a capture of the whole failing flow. You can use steps listed [here](https://www.inflectra.com/support/knowledgebase/kb254.aspx) - please use Firefox for that, Chrome's HARs are flawed. Also don't forget to set "Persist log" and "Disable cache" checkboxes in the console to save everything, not just the recently loaded page.

By Jay Kumar
user, 14 Feb 2018 at 6:02 a.m. CST

Hello Aliaksandr,
Please find below the link for the HAR file generated in Firefox browser as asked by you:
[HAR file](http://dev-sso.taoconnect.org/uploads/har.zip)
Kindly look into the issue and let me know if you need any coordination from our side.
Thank you!

By Jay Kumar
user, 16 Feb 2018 at 4:45 a.m. CST

Hi Aliaksandr,
Please find below the link for the oxAuth and Passport logs as asked by you:
[oxAuth and Passport logs](http://dev-sso.taoconnect.org/uploads/oxauth-and-passort-logs.zip)
Please take a look at those logs and suggest a solution.
Thank you.

By Aliaksandr Samuseu
staff, 16 Feb 2018 at 2:44 p.m. CST

Your Passport's `start.log` contains a bunch of exceptions implying invalid syntax of your `/etc/gluu/conf/passport-saml-config.json`. Please review your configuration there and make sure you specified everything according to the doc.

By Jay Kumar
user, 19 Feb 2018 at 5:32 a.m. CST

Hi Aliaksandr,
As per the documentation [Inbound SAML using passport.js](https://gluu.org/docs/ce/authn-guide/inbound-saml-passport/), we configured the passport-saml-config.json file. After configuration, metadata for the external IdP listed in passport-saml-config.json is generated once the configuration is validated successfully. We can access our metadata at a URL of this format: https://<hostname>/passport/auth/meta/idp/<IDP-id-from-passport-saml-config>. It can also be found under the /opt/gluu/node/passport/server/idp-metadata directory within Gluu's chroot container.
If passport-saml-config.json had any errors, then how was the metadata for the external on-boarding IdP generated? Can you please take a look at the passport-saml-config.json content below and correct us if we are missing something?
```json
{
  "jcgluussodev": {
    "entryPoint": "https://sso.jumpcloud.com/saml2/SSO-jcgluussodev",
    "issuer": "jcgluussodev",
    "identifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "authnRequestBinding": "HTTP-POST",
    "additionalAuthorizeParams": "",
    "skipRequestCompression": "true",
    "logo_img": "https://chetu-lms.taoconnect.org/theme/taotheme/img/logo.png",
    "enable": "true",
    "cert": "MIIC5..........Cw=",
    "reverseMapping": {
      "email": "email",
      "username": "urn:oid:0.9.2342.19200300.100.1.1",
      "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
      "id": "urn:oid:0.9.2342.19200300.100.1.1",
      "name": "urn:oid:2.5.4.42",
      "givenName": "urn:oid:2.5.4.42",
      "familyName": "urn:oid:2.5.4.4",
      "provider": "issuer"
    }
  }
}
```
Thank you.
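The staff reply above points at syntax exceptions in `start.log`, while the post above argues the file must be valid because metadata was generated. A quick way to settle that kind of dispute is to parse the file strictly yourself before restarting Passport. The checker below is an added example written for this thread, not Gluu's own code or part of the Passport distribution. It assumes only the key names visible in the posted configuration (`entryPoint`, `issuer`, `identifierFormat`, `cert`, `reverseMapping`, and the string-valued `enable` and `skipRequestCompression`); the set of keys it treats as required, and the attributes it expects in `reverseMapping`, are assumptions chosen for illustration, not a published schema. The sample configurations in the block are constructed, and the certificate value is a tiny hand-made DER sequence, not a real IdP certificate.

```python
import base64
import json
import re
import sys

# Assumption: an IdP entry needs at least these keys (taken from the config posted in the thread).
REQUIRED_KEYS = ("entryPoint", "issuer", "identifierFormat", "cert", "reverseMapping")
# In the posted config these flags are JSON strings, so anything but "true"/"false" is suspect.
STRING_BOOLEANS = ("skipRequestCompression", "enable")
# Assumption: attributes the inbound-SAML flow has to be able to resolve for a user.
REQUIRED_MAPPINGS = ("email", "username", "id")

# Constructed sample: the shape of the posted config with a hand-made DER SEQUENCE
# ("MAMCAQE=" is base64 of 30 03 02 01 01) standing in for the real certificate.
SAMPLE_CONFIG = {
    "jcgluussodev": {
        "entryPoint": "https://sso.jumpcloud.com/saml2/SSO-jcgluussodev",
        "issuer": "jcgluussodev",
        "identifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "authnRequestBinding": "HTTP-POST",
        "skipRequestCompression": "true",
        "enable": "true",
        "cert": "MAMCAQE=",
        "reverseMapping": {
            "email": "email",
            "username": "urn:oid:0.9.2342.19200300.100.1.1",
            "id": "urn:oid:0.9.2342.19200300.100.1.1",
        },
    }
}


def parse_config(text):
    """Parse strictly; return (config, problems). A syntax error yields the exact position."""
    try:
        return json.loads(text), []
    except json.JSONDecodeError as e:
        return None, ["JSON syntax error at line %d column %d: %s" % (e.lineno, e.colno, e.msg)]


def check_cert(value):
    """The cert must be raw base64 DER: no PEM header/footer, no whitespace, no placeholder dots."""
    if "-----BEGIN" in value:
        return "cert must be raw base64 without PEM BEGIN/END lines"
    if re.search(r"\s", value):
        return "cert contains whitespace or line breaks"
    try:
        der = base64.b64decode(value, validate=True)  # validate=True rejects non-alphabet chars
    except ValueError:
        return "cert is not valid base64"
    if not der or der[0] != 0x30:
        return "cert does not decode to a DER SEQUENCE (not an X.509 certificate?)"
    return None


def check_provider(name, entry):
    """Return a list of human-readable problems for one IdP entry (empty list means OK)."""
    if not isinstance(entry, dict):
        return ["%s: entry is not an object" % name]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in entry:
            problems.append("%s: missing required key %r" % (name, key))
    for key in STRING_BOOLEANS:
        if key in entry and entry[key] not in ("true", "false"):
            problems.append('%s: %r must be the string "true" or "false"' % (name, key))
    if not str(entry.get("entryPoint", "")).startswith("https://"):
        problems.append("%s: entryPoint must be an https:// URL" % name)
    if "cert" in entry:
        err = check_cert(str(entry["cert"]))
        if err:
            problems.append("%s: %s" % (name, err))
    mapping = entry.get("reverseMapping", {})
    if not isinstance(mapping, dict):
        problems.append("%s: reverseMapping must be an object" % name)
    else:
        for attr in REQUIRED_MAPPINGS:
            if attr not in mapping:
                problems.append("%s: reverseMapping lacks %r" % (name, attr))
    return problems


def validate(text):
    """Validate the whole file text; return the list of problems found."""
    config, problems = parse_config(text)
    if config is None:
        return problems
    if not isinstance(config, dict) or not config:
        return ["top level must be a non-empty object keyed by IdP id"]
    for name, entry in config.items():
        problems.extend(check_provider(name, entry))
    return problems


if __name__ == "__main__":
    # Usage: python check_passport_saml.py /etc/gluu/conf/passport-saml-config.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else json.dumps(SAMPLE_CONFIG)
    for p in validate(text):
        print("PROBLEM:", p)
```

Run it against the real file inside the chroot, then compare its verdict with `start.log`: a clean parse here but exceptions in the log would mean the error is somewhere other than JSON syntax, while a reported line and column points straight at the offending character (a trailing comma or a certificate pasted with line breaks are the usual culprits). The generated metadata at `https://<hostname>/passport/auth/meta/idp/<id>` is a separate artifact and does not by itself prove the current file on disk parses.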

By Jay Kumar
user, 21 Feb 2018 at 4:50 a.m. CST

Hello Aliaksandr,
Gentle Reminder!!
Have you had a chance to look at the JSON content we added in above comment?
Also, I just wanted to update you that when we select the Default Authentication Method as auth_ldap_server, user authentication via SAML works fine. But when we choose the Default Authentication Method as passport_saml, SAML user authentication does not work and it redirects to the oxAuth error page.
Kindly look into this and suggest a solution to resolve this issue.
Thank you.

By Aliaksandr Samuseu
staff, 21 Feb 2018 at 7:47 a.m. CST

Hi, Jay.
Please note that we don't offer any kind of SLA for community (free) users' tickets. We prioritize tickets of our customers first, which sometimes means answers to community tickets may be delayed significantly.
I can't reproduce this kind of issue in my own local test setup. I also don't see any obvious mistakes in your configuration. I'll try to use your `passport-saml-config.json` file next, but you'll need to provide it completely; please don't truncate your certificate like you did in your other post.

By Jay Kumar
user, 23 Feb 2018 at 7:03 a.m. CST

Hi Aliaksandr,
Have you had a chance to look into the passport-saml-config.json file we provided? Please provide a solution for this issue and let us know if there is anything missing from our side.
Thank you.

By Aliaksandr Samuseu
staff, 23 Feb 2018 at 3:20 p.m. CST

Hi, Jay.
When I follow the steps provided in the doc in my freshly installed 3.1.2 instance, it works fine even with your `passport-saml-config.json`. Thus I can't reproduce your issue. Your log files also don't shed any light on the cause of it.
Unless you provide exact details about your setup and all steps to reproduce it (which still conform to the mentioned documentation, as we can't support you on issues with non-standard setups), I don't see how we can help you.
You'll have to do some research on your own. You already know the location of all log files and how to create a HAR capture. You can use [this tool](https://toolbox.googleapps.com/apps/har_analyzer/) to view it. Try to experiment a little, monitoring log files, and see whether suspicious errors pop up. Try to make a fresh, clean install of the 3.1.2 package and configure Passport in it according to the doc, documenting each step. See whether you get your issue again.

By Jay Kumar
user, 26 Feb 2018 at 3:55 a.m. CST

Hello Aliaksandr,
As you mentioned, it is working fine at your end. So, can you please authenticate one of our users, who is created in an external directory on JumpCloud (details are mentioned below), and let us know if SSO authentication from JumpCloud's console is working fine?
- User email: jcuser01@yopmail.com
- User Pass: Chetu@123
Thank you.